The UpGuard Data Breach Research Team can now disclose the story of how nearly 14,000 documents containing financial, medical, and personal information were exposed by Medico Inc., a healthcare vendor that provides billing and insurance data processing. These documents, amounting to approximately 1.7GB of PDFs, spreadsheets, text files, and images, include explanations of insurance benefits, insurance claims, medical records and reports, legal documents, and internal business data for Medico itself (CSR Score 637). Much personally identifiable information (PII) for individuals whose medical business was processed by Medico is present in these documents, including bank account and routing numbers, insurance details, social security numbers (SSNs), and more.
The healthcare industry has a problem with data breaches. This refrain has been sung for years, even decades, as medical, financial and personal information continue to be exposed by healthcare providers, insurers, and the vendors they entrust with this data. Healthcare is unique in that it serves as a nexus for the bureaucracy of the financial sector, the personal information of the governmental sector, and the sensitive medical information native to its practice. All three of these types of data are at risk, and the risk is high.
In coordinating the responsible disclosure of this leak we learned of another, separate leak of Medico information in a different Amazon S3 bucket. Our report pertains only to the bucket we analyzed. Read more about the second leak at Databreaches.net.
On the afternoon of June 20th, 2019, the UpGuard Data Breach Research Team detected an exposed Amazon S3 bucket by the name of “medicoar” that appeared to have potentially sensitive files related to healthcare. After analyzing the data, it was determined that the bucket was operated by Medico Inc., based on the name and contents. Medico was contacted by UpGuard the next day, June 21st, and within hours the bucket was closed, preventing any possible future exploitation of this data by malicious actors. This quick response and action greatly helps the individuals whose data is present in an exposure, and should serve as an example to any organization facing a breach.
According to their website, Medico’s vision is “to be the ‘partner of choice’ for medical billing for healthcare providers and medical practices.” Their site claims they have processed over a million claims for 400+ providers and 100+ medical practices. Medico claims to “take security very seriously.” According to their site, “various steps have been taken to ensure data protection and network security.” Among the services offered by Medico are medical billing, transcription, and coding, as well as compliance audits, consulting services for medical practices, and credentialing. All of these services point to the type and amount of data discovered in the exposed storage bucket, which lines up with what one would expect from such operations.
There were several different kinds of data among the exposed dataset, each with their own consequences and sensitivity. See UpGuard’s taxonomy of sensitive data types for more information on what kind of data gets exposed and why it matters. Nearly all of the files analyzed by UpGuard dated from late 2018. The exposed Medico data can be categorized into the following:
- Business Data - Documents, correspondence, and other details pertinent to the inner operations of Medico Inc. This includes progress metrics, saved emails, credentials used by the company, and employee files.
- Medical Data - Medical information on individuals including complaints, diagnoses, doctor notes, prescriptions, medical histories, and handwritten chart notes that were digitized.
- Insurance Data - Insurance claims, responses by insurers, explanations of benefits, billing, payments, and other financials.
- Legal Data - Subpoenas and requests for medical information on individuals, usually pertinent to injury lawsuits.
A dangerous business practice is to store or transmit plain text passwords. Included in the Medico dataset was a spreadsheet of account names and default passwords. With the exposure of credentials, it is foreseeable that a malicious actor could not only exfiltrate all the data in the misconfigured S3 bucket, but gain access to systems and data utilizing the credentials found inside.
Many of the spreadsheets contained in the exposed dataset were password-protected. Password-protecting documents can help prevent data from being accessed without authorization, adding a second layer of protection in the event of a data exposure such as this one. However, because the password for those spreadsheets was sent in plain text over email, and that email was then backed up as a .msg file, anyone with access to the dataset could easily open all of the protected documents with that password as well. Although UpGuard did not use the password to open the files, it appeared obvious that the password present in this redacted example was for the password-protected Excel spreadsheets in the exposed dataset.
Finally, there are many spreadsheets of Medico business data, such as processing metrics, project progress, and client status. The sensitivity depends on the particular document, but internal reports are usually meant to be internal for a reason: the data they contain might be damaging to the company or their customers. Taken together, the collection could offer advantageous insights into Medico’s operations.
Exam Details and Treatment Notes
Among the medical data present in the exposed data set are exam and treatment notes for conditions ranging from mental illness to cancer. No redactions were discovered in UpGuard’s analysis of the data, meaning that every document had full personal details. Some included handwritten notes that had been scanned or faxed back into a digital format.
The types of individuals were varied, but included groups like minors and veterans.
Also present were prescription details showing medication histories, orders, and purchases.
Explanations of Benefits and Payments
Many of the documents present in the dataset are the explanation of benefits (EOB) documents common with health insurers, which explain how much of a particular claim was covered and why. Many others are explanations of payment, the documents providers receive from insurers who are paying claims.
These documents often contain personal information such as contact details, insurance policy numbers, and employer details. More damaging still, they often describe the medical treatment being billed, so each one discloses yet more of the medical history of the individuals exposed.
Other common insurance forms besides EOBs were present as well. In those cases where the insurer was reimbursing money to an individual, repayment methods were present, including in some cases cash cards with full details, including the CVV.
Billing and Payment Information
Some of the most obviously sensitive data were the billing and payment details present in many of the exposed files. These include the cost and payment schedule of treatments, and in some cases, bank account and routing numbers, and even full scans of checks.
Fraud is a possible consequence of such information being leaked, since a single check contains the data necessary to impersonate some kinds of electronic payments.
Subpoenas and Requests for Medical Records
Another type of document present in the exposed data set are legal requests for medical records. These typically come from attorneys and their offices, but also organizations like the Office of Veteran Affairs. Although these documents don’t contain any medical data themselves, they do have PII on the individuals whose information is being requested, including SSN in full. Many of these requests have to do with active litigation, being requested by the individual’s representation for the purposes of an injury trial.
The impact of such information being exposed should be self-evident. In addition to the obvious fraud potential of banking information and PII, the privacy violation of having one’s personal medical history, medications, appointments, and issues made publicly available can’t be overstated. Not only do people trust companies to handle this data with care, they have no choice but to trust them, being entangled in the bureaucracy of insurance and billing, making the mishandling of this data even more egregious.
The healthcare ecosystem is a complex series of interrelationships in which multiple vendors, insurers, practices, and providers share and copy information to serve their business functions. A vendor such as Medico interfaces with multiple entities on both the provider and the insurer side. When a third party such as this faces an exposure, the effects can be far reaching, and difficult to understand. But to the individual, the person whose data is contained in the exposed set, the consequences of exposure are the same: a breach of trust, a violation of privacy, and problems brought on by the very act of seeking and receiving help.
Why does this keep happening? The problem of data exposures in healthcare is well covered, and has been for years. It’s not a lack of awareness or information that allows it to go unchecked. The HIPAA data protection standard was created as a framework for making healthcare data portable and keeping organizations accountable. HIPAA was enacted in 1996, and has been in force for over twenty years; yet breaches keep happening.
The overwhelming majority of data exposures occur because resources housing sensitive data have been misconfigured. These misconfigurations occur due to poor operation processes that fail to account for the risk of data exposure, both in primary systems and in third party vendors. Only by proactively addressing these risks, building not just security, but risk mitigation, into data handling operations, can such errors and oversights be addressed in a timely enough way to prevent exposed data from being exploited.
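The exposed “medicoar” bucket described above is an instance of exactly this kind of misconfiguration: an S3 bucket that anyone on the internet could list and read. Whether a bucket is reachable anonymously is decided by three settings together, the bucket ACL, the bucket policy, and the account or bucket-level Block Public Access configuration, and a proactive check has to evaluate all three the way S3 applies them. The following is an added example, not code from UpGuard, Medico or AWS, that does that evaluation over the document shapes returned by the S3 API calls GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock. The sample documents, bucket names and owner ID are constructed for the example.

```python
"""Audit S3 bucket settings for public exposure.

Added example, not code from UpGuard, Medico or AWS. It evaluates the three
documents that decide anonymous reachability: the bucket ACL, the bucket
policy and the Block Public Access settings. Sample documents are constructed;
bucket names and the owner ID are hypothetical.
"""

# Real S3 group URIs used in ACLs for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS account)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Allow statements with a wildcard principal. Statements that carry a
    Condition are still reported, flagged for review rather than assumed safe."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            found.append({
                "Sid": stmt.get("Sid"),
                "Action": [actions] if isinstance(actions, str) else list(actions),
                "Conditioned": "Condition" in stmt,
            })
    return found


def public_access_block_gaps(pab):
    """The Block Public Access settings that are not switched on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_SETTINGS if not cfg.get(k, False)]


def assess_bucket(name, acl, policy, pab):
    """Combine the three documents the way S3 applies them: IgnorePublicAcls
    neutralises public ACL grants, and RestrictPublicBuckets confines a public
    policy to the owning account. Only a grant whose blocker is off counts as
    an exposure; everything else is reported for cleanup."""
    grants = public_acl_grants(acl)
    stmts = public_policy_statements(policy)
    gaps = public_access_block_gaps(pab)
    acl_open = bool(grants) and "IgnorePublicAcls" in gaps
    policy_open = (any(not s["Conditioned"] for s in stmts)
                   and "RestrictPublicBuckets" in gaps)
    return {"bucket": name, "public_acl_grants": grants,
            "public_policy_statements": stmts, "block_public_access_gaps": gaps,
            "exposed": acl_open or policy_open}


# Constructed samples shaped like the API responses.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exposed/*"}]}
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_SETTINGS}}

HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]},
                "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-hardened", "arn:aws:s3:::example-hardened/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}}

if __name__ == "__main__":
    for args in (("example-exposed", EXPOSED_ACL, EXPOSED_POLICY, PAB_OFF),
                 ("example-hardened", HARDENED_ACL, HARDENED_POLICY, PAB_ON)):
        print(assess_bucket(*args))
```

In a real audit the three dictionaries would come from the corresponding S3 API calls for every bucket in the account, run on a schedule rather than once. The design point is the last function: a public READ grant in an ACL is not an exposure on its own if IgnorePublicAcls is on, which is why the account-level Block Public Access settings are the control to verify first, and why the report still lists stale public grants so they can be removed before anyone relaxes that setting.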
One example of problematic processes is when digital information is printed and then re-digitized to include handwritten data.
This type of scattering of information across multiple media adds significantly to the surface risk of every piece of data handled in this way.
Furthermore, the laws and regulations holding healthcare entities responsible must have teeth. They must be enforced, and the penalties must make it so that companies are better off doing the right thing than taking the chance of a breach and paying any penalties should they come up.
The EU’s GDPR is a good model to begin to understand how companies can be held accountable for their actions (or inaction) in protecting the data from which they derive profit. Without such enforcement things will continue as they are, a grim prospect for anyone concerned about data privacy.
Finally, the entity responsible for the exposure is often not the entity most directly impacted. IT work is often outsourced due to the subject area knowledge required to operate complex or specialized systems, increasing exposure to third-party risk. Small and medium businesses may rely on vendors who they have little to no ability to audit on their own. The interconnectedness of healthcare, finance, and technology companies requires improvement of security practices, and visibility into those practices, across the board to reduce data leaks like this one.